FortiHypervisor 1.0 Admin Guide

Advanced Configuration

REST API

FortiHypervisor includes a full featured REST API which exposes programmatic configuration of the majority of the appliance features.  FortiHypervisor supports the following REST APIs:

  • CMDB API
    o Retrieve object metadata (default, schema)
    o Retrieve object/table (with filter, format, start, count and other flags)
    o Create object
    o Modify object
    o Delete object
    o Clone object
    o Move object
  • Monitor API
    o Retrieve/Reset endpoint stats (with filter, start, count)
    o Perform endpoint operations
    o Upload/Download files
    o Restore/Backup config
    o Upgrade/Downgrade firmware
    o Restart/Shutdown FHV
    o Create/Modify/Delete VMs
    o Start/Restart/Shutdown/PowerOff VMs

Detailed documentation of the FortiHypervisor REST API is available via the Fortinet Developer Network.
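The CMDB table retrieval described above takes filter, format, start and count flags, which means a client has to page through large tables correctly and keep the credential out of the request URL. The following is an added example, not Fortinet's client code: a small helper that composes one page of a table query and walks a whole table. The URL prefix, the parameter names (`filter`, `format`, `start`, `count`) and the `results` response key are assumptions modelled on FortiOS-style REST APIs and must be checked against the Fortinet Developer Network documentation; the sample table it pages through is constructed inline.

```python
"""Paged CMDB-style table listing (added example, not FortiHypervisor code).

Assumptions, not taken from the guide: the "/api/v2/cmdb/" prefix, the
query parameter names, the "results" key in the JSON body, and Bearer-token
authentication.  Verify each against the vendor's REST API documentation.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple


def build_cmdb_query(path: str, *, filters: Optional[List[str]] = None,
                     fmt: Optional[List[str]] = None, start: int = 0,
                     count: int = 100) -> str:
    """Return the relative URL for one page of a CMDB table listing.

    path     -- table path such as "system/interface" (hypothetical)
    filters  -- "key==value" style expressions, one "filter" param each
    fmt      -- attribute names to return, joined with "|" (assumed syntax)
    start    -- offset of the first row; count -- rows per page
    """
    if start < 0 or count <= 0:
        raise ValueError("start must be >= 0 and count must be > 0")
    params: List[Tuple[str, str]] = [("start", str(start)), ("count", str(count))]
    if fmt:
        params.append(("format", "|".join(fmt)))
    params.extend(("filter", f) for f in (filters or []))
    return "/api/v2/cmdb/" + path.strip("/") + "?" + urllib.parse.urlencode(params)


def make_fetch(base_url: str, token: str, ca_file: str) -> Callable[[str], Dict]:
    """Build an authenticated GET that verifies the appliance certificate.

    The token travels in the Authorization header, not the query string, so
    it does not end up in proxy or web-server access logs.
    """
    ctx = ssl.create_default_context(cafile=ca_file)

    def fetch(rel_url: str) -> Dict:
        req = urllib.request.Request(base_url.rstrip("/") + rel_url,
                                     headers={"Authorization": "Bearer " + token,
                                              "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return fetch


def iter_table(fetch: Callable[[str], Dict], path: str, page_size: int = 100,
               **query) -> Iterator[Dict]:
    """Yield every row of a table, page_size rows per request.

    `fetch` is injected so the paging logic is testable offline.  Paging
    stops when a page comes back shorter than requested.
    """
    start = 0
    while True:
        body = fetch(build_cmdb_query(path, start=start, count=page_size, **query))
        rows = body.get("results", [])  # assumed response key
        yield from rows
        if len(rows) < page_size:
            return
        start += page_size


def constructed_table_fetch(total_rows: int) -> Tuple[Callable[[str], Dict], List[str]]:
    """Offline stand-in for make_fetch(): serves a constructed table of
    interface rows and records each URL requested, for demonstration."""
    table = [{"name": f"port{i}", "type": "physical"} for i in range(1, total_rows + 1)]
    calls: List[str] = []

    def fetch(rel_url: str) -> Dict:
        calls.append(rel_url)
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(rel_url).query)
        start, count = int(q["start"][0]), int(q["count"][0])
        return {"results": table[start:start + count]}
    return fetch, calls


if __name__ == "__main__":
    fetch, calls = constructed_table_fetch(5)
    names = [row["name"] for row in iter_table(fetch, "system/interface", page_size=2)]
    print(names, "fetched in", len(calls), "requests")
```

Against a real appliance, replace `constructed_table_fetch` with `make_fetch("https://<fhv-host>", token, "ca.pem")` and pin the CA that issued the management certificate rather than disabling verification.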

Virtual Networking

External Interfaces

All physical interfaces on FortiHypervisor can be viewed and configured under System > External Interfaces.


Creating new interfaces

It is possible to create new interface types which can be connected to guest VMs:

802.3ad Interfaces

IEEE 802.3ad link aggregation enables ethernet interfaces to be grouped at the physical layer to form a single link layer interface, also known as a link aggregation group (LAG) or bundle.  This interface uses Link Aggregation Control Protocol (LACP) to aggregate the interfaces and control the load distribution of packets across the interface group.  Up to 10 interfaces can be configured in a LAG.

Packets are load distributed by using a hashing algorithm based on the source/destination IP and ports of the packet.

An 802.3ad interface group provides both resilience and scaling of internet throughput.

Redundant interfaces

The redundant interface configuration allows multiple interfaces to be grouped together in a similar way to 802.3ad, however they are not all active.  Redundant interfaces operate in an Active/Passive configuration only, failing over when the active link fails.

A redundant interface group provides resilience only.
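The two group types above differ in how a member link is chosen for a packet: a LAG hashes the source/destination IP and ports so each flow is pinned to one member, while a redundant group sends everything over the single active member. The following is an added example, not FortiHypervisor code, that models both selection rules on constructed flows so the "resilience and scaling" versus "resilience only" distinction can be observed, including the caveat that one flow never exceeds one member's bandwidth. The hash function used is an assumption; the guide does not document the platform's actual hash.

```python
"""LAG versus redundant-group member selection (added example, not vendor code).

Models the behaviour the guide describes: 802.3ad hashes the packet's
source/destination IP and ports to pick a member; a redundant group keeps
one member active and fails over.  The blake2b-based hash is an assumption
standing in for the undocumented hardware hash.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)
MAX_LAG_MEMBERS = 10  # limit stated in the guide


@dataclass
class Member:
    name: str
    up: bool = True


def lag_member(flow: Flow, members: List[Member]) -> Member:
    """802.3ad-style selection: hash the 4-tuple, index into the active members.

    Deterministic per flow, so packets of one flow stay in order on one link;
    the consequence is that a single flow can never use more than one
    member's bandwidth, only the aggregate of many flows scales.
    """
    if len(members) > MAX_LAG_MEMBERS:
        raise ValueError("a LAG supports at most 10 members")
    active = [m for m in members if m.up]
    if not active:
        raise RuntimeError("no active LAG member")
    key = "|".join(str(x) for x in flow).encode()
    digest = hashlib.blake2b(key, digest_size=8).digest()  # assumed hash
    return active[int.from_bytes(digest, "big") % len(active)]


def redundant_member(members: List[Member]) -> Member:
    """Active/Passive selection: the first healthy member carries all traffic."""
    for m in members:
        if m.up:
            return m
    raise RuntimeError("all redundant members are down")


def distribution(flows: List[Flow], members: List[Member]) -> Counter:
    """Count how many of the given flows each LAG member would carry."""
    return Counter(lag_member(f, members).name for f in flows)


def constructed_flows(n: int) -> List[Flow]:
    """Constructed sample: n client flows from 10.0.0.0/24 to one HTTPS server."""
    return [(f"10.0.0.{i % 250 + 1}", "203.0.113.10", 40000 + i, 443) for i in range(n)]


if __name__ == "__main__":
    lag = [Member(f"port{i}") for i in range(1, 5)]
    flows = constructed_flows(1000)
    print("LAG spread:", dict(distribution(flows, lag)))
    lag[0].up = False  # a member fails: flows rehash over the remaining links
    print("LAG spread after port1 fails:", dict(distribution(flows, lag)))

    red = [Member("port1"), Member("port2")]
    print("redundant active:", redundant_member(red).name)
    red[0].up = False
    print("redundant after failover:", redundant_member(red).name)
```

Note that with modulo-based selection a member failure rehashes flows that were not on the failed link too; that is a property of this simple model and, for a real LAG, a reason to confirm how the platform redistributes flows before relying on in-order delivery during failover.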

Virtual Switch

A switch interface in FortiHypervisor can operate in one of two modes.

Bridge

The most common configuration mode is to associate an interface as part of a bridge where all interfaces configured in that bridge are part of a shared Layer2 broadcast domain.

External Interfaces (Physical, VLAN, 802.3ad and Redundant) can all be part of a bridge virtual switch.  A virtual machine interface can be connected to a bridge with or without an External Interface.

In the following example, the FortiGate VM Port1 interface is connected to the Virtual Switch “Bridge_External”, which is also connected to the External Interface Port 1, a physical interface connected to the internet.

There is a second Virtual Switch “Bridge_Internal” which is only used to internally connect VM interfaces.

For the FortiMail and Linux VM to communicate with the Internet, the FortiGate would need to be configured to route and allow this traffic.

The configuration described would appear as shown below in the FortiHypervisor GUI.  Note that only Bridge_External has an External Interface connected, since Bridge_Internal is purely a virtual switch used to interconnect the VMs.

Passthrough

Passthrough mode directly connects a VM interface to an External Interface without the need for an intermediary Virtual Switch.  Passthrough mode is a prerequisite for FortiOS to offload network processing to the NP6 SPU.



This entry was posted in Administration Guides, FortiHypervisor.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
